AWS CloudTrail Expands Auditing of API Calls

Amazon Web Services (AWS) has considerably increased the number of services supported by AWS CloudTrail to cover the majority of the extensive AWS service portfolio. This now includes most compute and networking services and all deployment and management services, thereby providing comprehensive end-to-end auditing of almost any change to customers' infrastructure.

AWS has also expanded CloudTrail coverage to the US West (Northern California), EU (Ireland) and Asia Pacific (Sydney) regions after initially offering the service in US East (Northern Virginia) and US West (Oregon). CloudTrail is "scheduled to soon support" the remaining globally accessible regions.

AWS CloudTrail records all API calls made in an AWS account regardless of their origin, be it the AWS Management Console, the AWS Command Line Interface or third-party applications using any of the various AWS SDKs. It stores the resulting log files in an Amazon S3 bucket in JSON format and provides optional notification to an Amazon SNS topic each time a file is published, so that third-party and custom log analytics solutions can ingest new log files on arrival instead of polling.

The various logging and auditing use cases include security analysis, change tracking, compliance support and operational troubleshooting. For example, several third-party monitoring and analytics providers offer correlation of CloudTrail events with application performance monitoring charts, which can identify changes to AWS resources that might have caused or contributed to an observed performance regression.

What was the API call? – API call and service, e.g. 'RunInstances' on EC2

What were the resources that were acted upon in the API call? – request parameters and partial response elements (the responses of read-only calls such as Describe*, Get* and List* are excluded to prevent event size inflation)

Where was the API call made from? – apparent caller IP address and target region
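The following added example (not from AWS or the original article) reads one CloudTrail log file in the JSON format described above and extracts, per record, the answers to the three questions just listed; it also shows the caveat that read-only Describe*/Get*/List* calls arrive without response elements. The sample log file, account-like values and IP address are constructed for illustration.

```python
import json

# Constructed sample shaped like a CloudTrail log file: a top-level "Records"
# array. Values are illustrative placeholders, not taken from a real account.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-01-15T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"instanceType": "m1.small", "imageId": "ami-00000000"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-00000000"}]}}},
    {"eventTime": "2014-01-15T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": None,
     "responseElements": None},   # read-only call: no response elements recorded
]})

READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def is_read_only(event_name):
    """CloudTrail omits response elements for Describe*, Get* and List* calls."""
    return event_name.startswith(READ_ONLY_PREFIXES)


def summarize_records(log_text):
    """Answer 'what call, on which resources, from where' for each record."""
    records = json.loads(log_text)["Records"]
    summary = []
    for rec in records:
        service = rec["eventSource"].split(".")[0]          # e.g. "ec2"
        summary.append({
            "call": f"{rec['eventName']} on {service}",      # what was called
            "resources": rec.get("requestParameters"),       # what was acted upon
            "result": rec.get("responseElements"),           # None for read-only calls
            "origin": rec.get("sourceIPAddress"),            # apparent caller IP
            "region": rec.get("awsRegion"),                  # target region
            "read_only": is_read_only(rec["eventName"]),
        })
    return summary


def change_events(log_text):
    """Keep only mutating calls, the ones relevant for change tracking."""
    return [s for s in summarize_records(log_text) if not s["read_only"]]
```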

AWS CloudTrail is one of the most important services for enterprise customers that Amazon has released in recent times. The collected logs support compliance with government regulations by allowing all accesses to AWS services to be recorded. One can conduct more successful security audits […], identifying the precise origin of vulnerabilities and of unauthorized or erroneous hits on data.

CloudTrail "delivers an event within 15 minutes of the API call" and the resulting "log files to your S3 bucket approximately every 5 minutes". This renders it unsuitable for tight real-time operational and security monitoring; near real-time change tracking, security analysis and operational troubleshooting, however, remain well within its reach.

Log files can be aggregated across AWS regions and even multiple AWS accounts for operational and security reasons. For example, one might want to consolidate audit logging from development and production accounts to a dedicated auditing account with an even higher security profile and limited staff access, similar to how a consolidated billing account is used to isolate billing and cost management to dedicated stakeholders.